Breaking Down the Benefits of Hacker-Powered Pen Tests
Forrester Consulting recently published “The Total Economic Impact Of HackerOne Challenge: Improved Security And Compliance”. This blog takes a look at some of Forrester’s main findings including improved security, “the most important benefit of using HackerOne Challenge”.
A note for our readers: the comparison in the study focused on penetration testing as a service. We <3 pentesters and recognize that many members of the HackerOne community are pentesters; for all your contributions to improved security, we respect and thank you.
Read on for more about how hacker-powered pen tests outperform the traditional pen test model when working toward audited SOC 2 Type II and PCI DSS compliance certification.
Auditor Ready and Improved Security
Customers interviewed by Forrester said traditional pen testing often missed critical vulnerabilities. At other times, traditional pen test firms reported findings that were irrelevant in practice, such as issues that required physical access to a machine. This misalignment left systems vulnerable and risked breaches that could result in large remediation costs, lost customers and revenue, and reputational damage.
“[Pen testing] used to be a frustrating process. What they were finding wasn’t relevant. For example, they said the password was being exposed in the computer’s memory. What does it matter? If you broke in and got physical access to the computer, you could put in a keylogger. They weren’t finding practical exploits.” - HackerOne Challenge customer
More Vulnerabilities and Better Remediation Guidance with HackerOne
The most important benefit of switching to HackerOne Challenge was finding more vulnerabilities, both in number and in criticality.
Interviewees said that the quality of pen testing performed by HackerOne was of a high caliber, a benefit of tapping into a wide range of hacker skills and experiences.
“The biggest benefit is the nature of the hackers. They are skilled and motivated. They will actually find things. I don’t know why the previous pen testers did not.” - HackerOne Challenge customer
Interviewees also said that they received findings and recommendations faster, which allowed for an iterative remediation process. In contrast, traditional pen test findings were delivered all at once, usually too late to remediate before release.
“Before, an external company would do a pen test and then report on it. We would then have to make fixes and run the test again. Now we have a state of continuous compliance. It has made audits more agile.” - HackerOne Challenge customer
According to Forrester, these changes together reduced the risk of a breach and improved audit documentation.
You can download Forrester’s “The Total Economic Impact Of HackerOne Challenge: Improved Security And Compliance” for free and learn about the estimated payback time and ROI of HackerOne Challenge according to Forrester Consulting.